1 Marc J. Zwillinger Elizabeth Banker Zwillinger Genetski LLP April 7, 2011.

Page 2

Understanding Universities' obligations related to Law Enforcement and Civil Demands

Developments in privacy related litigation

Lawful Access issues on the horizon for Universities

Other issues for Universities related to security and privacy

Page 3

Federal, state and local law enforcement issued subpoenas, court orders and warrants

National Security Requests issued under National Security Letter authority, FISA or the FAA

Civil subpoenas issued under DMCA subpoena provision

Civil subpoenas issued in private litigation

Requests without legal process:
◦ Deceased students
◦ Complaints

Page 4

Family Educational Rights and Privacy Act of 1974, 20 U.S.C. § 1232g; 34 CFR Part 99.

Prohibits disclosure of certain student records without student or parental consent.

Universities may disclose educational records in response to a subpoena or court order with prior notice to the student or parents.

No notice is necessary if:
◦ Grand jury subpoena with court order to not provide notice
◦ Court order and told not to provide notice
◦ AG terrorism court order (ex parte)

Emergencies

Page 5

ECPA has two primary parts:
◦ The Wiretap Act (also known as Title III) governs real-time access to the contents of electronic communications
  ◦ Codified at 18 U.S.C. § 2510 et seq.
◦ The Stored Communications Act (“SCA”) is the portion of ECPA that specifically governs stored records and communications
  ◦ Codified at 18 U.S.C. § 2701 et seq.
◦ Other parts of ECPA: Pen Register Trap and Trace Statute, 18 U.S.C. § 3121

Page 6

Governs real-time intercept of electronic and wire communications

Federal law prohibits intercept of communications unless an exception applies:
◦ Consent (one party)
◦ Title III Wiretap Order issued by law enforcement
◦ Protection of Rights and Property of Providers

State wiretap laws are similar, except:
◦ Twelve states require two-party/all-party consent for a valid exception to the prohibition on intercept

Page 7

Special Issues for Universities
◦ Students or School officials recording classes
◦ Email scanning for prohibited content/conduct
◦ Archiving chat, IM, or other conversations conducted through interactive webpages

How to deal with two-party/all-party consent requirements?
◦ Implied consent
◦ Affirmative consent

Page 8

Covered entities defined in SCA are “Electronic Communications Services” (ECS) and “Remote Computing Services” (RCS)
◦ ECS defined as “any service which provides to users thereof the ability to send or receive wire or electronic communications”
◦ RCS defined as “the provision to the public of computer storage or processing services by means of an electronic communications system”
  ◦ What does “to the public” mean?
  ◦ What public services do you offer – just broadband access, or more?

Restrictions on voluntary disclosure of information (for ECS and RCS) turn on whether University offers services “to the public”

Restrictions on compelled disclosures do not.

Page 9

1) Statutory definition: “contents of a communication while in electronic storage”
   Plain language: contents of messages or emails

2) Statutory definition: “contents of a communication which is carried or maintained on that service on behalf of, and received by means of electronic transmission from a subscriber or customer of the service”
   Plain language: contents in stored files

3) Statutory definition: “a record or other information pertaining to a subscriber to or customer of such service not including contents under A or B”
   Plain language: any non-identity, non-content record kept about a subscriber

4) Statutory definition: “name, address, telephone records, session times and duration, length of service, start date, types of service utilized, telephone number or other subscriber # or identity, network address, means and source of payment”
   Plain language: basic identity information about the subscriber

Page 10

Can be obtained through trial, grand jury or administrative subpoena under § 2703(c)(2)

◦ name & address
◦ local and long distance billing records
◦ telephone number or other account identifier (such as username or “screen name”)
◦ length & type of service provided
◦ Session times and duration
◦ Temporarily assigned network address (IP Address)
◦ Means and source of payment (cc# or bank acct)

Limited to specifically listed records

Page 11

Scope:
◦ Not content, not basic subscriber § 2703(c)(1)(B)
◦ Everything in between
  ◦ identities of connections or email correspondence
  ◦ Subscriber info not specified in 2703 (c)(1)(c) (e.g., DOB, gender, DL #, etc)
  ◦ Connection information

Obtainable with § 2703(d) court order
◦ Issued based on showing of “specific and articulable facts” of relevance to “criminal investigation”
◦ Intermediate standard between subpoena (relevance) and search warrant (probable cause)

Delayed Notice available under § 2705

Page 12

“Electronic storage” defined as
1) temporary, intermediate storage incidental to transmission (§2510(17)(A)); and
2) storage of such communication by an electronic communication service for purposes of backup protection of such communication

Beginning: DOJ view that a warrant was only required for unopened, received email in user’s inbox for 180 days or less. A court order or subpoena used for sent, read, or emails over 180 days old

After Theofel v. Farey-Jones (9th Cir.): Read and saved email was considered a “back up” and required a search warrant if 180 days or less old

Page 13

Sixth Circuit Court of Appeals held in U.S. v. Warshak that the Fourth Amendment protects email content from disclosure to law enforcement absent a search warrant

Court found that individuals have a “reasonable expectation of privacy” in their email content
◦ Court left open possibility that provider or employer terms could eliminate the R.E.P.

Decisions about how to implement
◦ Restrict to district
◦ Implement nationwide

Page 14

Public provider prohibited from voluntarily disclosing any subscriber records (§ 2702)

Exceptions
◦ Consent of originator or addressee/intended recipient
◦ To an addressee or intended recipient
◦ To law enforcement if contents inadvertently obtained & pertain to commission of a crime
◦ To person employed or authorized or whose facilities are used to forward such communication
◦ As necessary to protect provider rights and property
◦ To NCMEC in child pornography report
◦ To government if provider in good faith believes an emergency exists threatening death or serious physical injury

Page 15

Public provider prohibited from voluntarily disclosing any contents of communications (§ 2702)

Exceptions
◦ Consent of originator or addressee/intended recipient
◦ To an addressee or intended recipient
◦ To person employed or authorized or whose facilities are used to forward such communication
◦ As necessary to protect rights and property

No prohibition on disclosing records to civil litigant (§ 2702 (c)(6))
◦ Subpoena is generally sufficient

Page 16

FERPA allows disclosure of educational records when legal process is issued.
◦ If not prohibited by law, notice must be given to the student or parents
◦ When is notice forbidden? A court order prohibits notice (e.g., an order for delayed notice under Section 2705) or statute under which the legal process was issued prohibits notice (e.g. NSLs).
◦ When in doubt? Advise law enforcement of plan to provide notice

FERPA allows disclosure of information in response to a civil subpoena with notice, but ECPA prohibits disclosure of email content to private litigants
◦ Disclosure could be allowed if account holder consents

FERPA & ECPA both allow disclosure of records and email content when there is an emergency that puts the physical safety of a person at risk
◦ ECPA only allows emergency disclosures to law enforcement.
◦ Be sure to document the nature of the emergency, how the requested information will help LE and the requesting individual and agency.
◦ Also helpful: Emergency disclosure form, Emergency disclosure policy

Page 17

Deceased Users and stored content

Freedom of Information Act requests

Complaints and requests to identify users without legal process

Internal, on-campus investigations

State schools and status as a “governmental entity”

National security process and non-disclosure requirements

Page 18

ECPA Litigation

ECPA Reform

CALEA Updates

Data Retention Mandates

Page 19

Plaintiffs’ lawyers are now suing for improper disclosure of records based on claims that the legal process used was illegitimate

Entities sued: Yahoo!, Myspace, Windstream, Comcast

Theory – recipient must insist on proper service of process to make legal process valid – i.e., no out-of-state faxes.

Prediction – not going to be successful, but may not be worth the risk

Page 20

Initially proposed by the Digital Due Process Coalition (DDP), which includes: CDT, Amazon, Google, Facebook, AOL, Microsoft, AT&T, SalesForce, Loopt, and others

Need for ECPA reform:
◦ Definitions are archaic and hard to apply to Web 2.0
◦ Different law enforcement agencies use it and have different interpretations
◦ Different jurisdictions have different interpretations
◦ Volume makes it impossible to operate with anything less than bright-line rules
◦ Litigation develops over areas of friction
◦ Many, many issues do not seem to be answered by ECPA

Page 21

1. Technology and platform neutrality

2. All content should be protected under the 4th Amendment standard – regardless of how old it is or whether it has been “opened” or not

3. Data should receive same protection whether it is in transit or in storage

4. Recognize sensitivity of data that deserves 4th Amendment protection

Page 22

1. All content should be protected under the 4th Amendment standard and probable cause should be required – regardless of how old it is or whether it has been “opened” or not

2. Location data, whether historical or prospective, should be produced only pursuant to a Warrant

3. The standard for pen registers/trap and trace devices should be heightened

4. Information requests made pursuant to a subpoena should be particularized to an individual or group of individuals, otherwise a 2703(d) Order or greater should be required

Page 23

At least 4 hearings held in 2010 before House Judiciary Committee and at least one in the Senate.

Hill meetings and DOJ meetings have been occurring with increased frequency

DOJ has proposal for reform of NSL provisions (18 USC 2709) which may get linked to these efforts
◦ Proposal would clear up uncertainty regarding ability of FBI to get access to electronic communication transactional records

Page 24

Communications Assistance to Law Enforcement Act (“CALEA”) originally passed in 1994

Mandates that covered providers build capability to intercept communications if presented with a wiretap order
◦ Currently covers telecommunications and broadband

FBI “Going Dark” Initiative seeks to expand coverage

Potential Model: Section 12 of UK’s RIPA

Page 25

Lamar Smith (R), House Judiciary Chairman, has had several bills in the past and is currently working on a new bill

Hearing held in January 2011

Potential scope of data retention obligation:
◦ 6 months to 2 years of retention
◦ IP address assignment logs, IP log-in records, communications transactional records, upload IP information

EU Data Retention Directive implementation
◦ Problematic and still controversial in EU, but provides potential model

Page 26

Child pornography reporting requirements applicable to ECS and RCS under 18 U.S.C. §2258A.

Content complaints and Section 230

Security Breach notice requirements

Required security to protect sensitive personal information
◦ E.g. Social Security Numbers

Page 27

[email protected]@zwillgen.com
